
Attacking the Verification Code Mechanism in the Norwegian Internet Voting System

  • Conference paper
E-Voting and Identify (Vote-ID 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7985)

Abstract

The security of the Norwegian Internet voting system depends strongly on the implemented verification code mechanism, which allows voters to verify if their vote has been cast and recorded as intended. For this to work properly, a secure and independent auxiliary channel for transmitting the verification codes to the voters is required. The Norwegian system assumes that SMS satisfies the necessary requirements for such a channel. This paper demonstrates that this is no longer the case today. If voters use smartphones or tablet computers for receiving SMS messages, a number of new attack scenarios appear. We show how an adversary may exploit these scenarios in systems providing vote updating and point out the consequences for the vote integrity in the Norwegian system. We also give a list of possible counter-measures and system enhancements to prevent and detect such attacks.




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Koenig, R.E., Locher, P., Haenni, R. (2013). Attacking the Verification Code Mechanism in the Norwegian Internet Voting System. In: Heather, J., Schneider, S., Teague, V. (eds) E-Voting and Identify. Vote-ID 2013. Lecture Notes in Computer Science, vol 7985. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39185-9_5


  • DOI: https://doi.org/10.1007/978-3-642-39185-9_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-39184-2

  • Online ISBN: 978-3-642-39185-9

  • eBook Packages: Computer Science, Computer Science (R0)
